HIPAA Breach Notification Rule Explained: Examples, Penalties, and Documentation Steps

Kevin Henry

HIPAA

January 09, 2025

8 minutes read

Definition of Breach

Under the HIPAA Breach Notification Rule, a breach is an impermissible use or disclosure of Protected Health Information (PHI) that compromises its security or privacy. The rule presumes a breach has occurred unless you demonstrate, via a documented Risk Assessment, a low probability that PHI was compromised.

The rule applies to Unsecured PHI—PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. Strong encryption or proper destruction typically removes data from the “unsecured” category, provided the keys are safe and recovery is not feasible.

Discovery of a breach

A breach is “discovered” on the first day you know of it, or should have known using reasonable diligence. That date starts all notification timelines, even if your investigation continues.

Illustrative examples

  • An unencrypted laptop with patient schedules and diagnoses is stolen from a car. This is a presumptive breach of Unsecured PHI.
  • A staff member emails a lab report to the wrong patient. Unless your Risk Assessment shows a low probability of compromise, this is a breach.
  • Ransomware encrypts your EHR. If exfiltration or viewing cannot be ruled out, treat it as a breach unless evidence shows otherwise.
  • A fully encrypted device is lost, and the keys are intact and not accessible. This is typically not a breach because the PHI is not unsecured.

Exceptions to Breach Definition

HIPAA recognizes three limited exceptions where an impermissible use or disclosure is not a breach:

  • Unintentional access, acquisition, or use by a workforce member or person acting under your authority, in good faith and within scope, with no further improper use or disclosure.
  • Inadvertent disclosure by a person authorized to access PHI to another authorized person within the same covered entity, business associate, or organized health care arrangement, with no further improper use or disclosure.
  • A good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, unopened mail returned, or immediate retrieval with evidence it was not viewed).

Examples that fit the exceptions

  • A nurse opens the wrong chart briefly, recognizes the mistake, closes it, and reports it. No further use occurs.
  • A billing specialist emails PHI to a coder on the same team who is authorized to see it; the coder deletes it because it was sent in error.
  • A package with PHI is returned unopened by the postal service; records show it remained sealed throughout transit.

Breach Notification Requirements

If Unsecured PHI is breached, you must notify affected individuals, and in some cases the media and the Secretary of Health and Human Services (HHS). Business associates must notify the covered entity. All notifications must occur without unreasonable delay and no later than 60 calendar days from discovery.

Begin immediate containment, mitigation, and a Risk Assessment. Notification is per incident, not per person, and you must document all decisions. If data were properly secured, notifications are not required, but you should still investigate and record your findings as Compliance Documentation.

Business associate duties

  • Notify the covered entity without unreasonable delay and within 60 calendar days of discovery.
  • Provide the identities of affected individuals and any information needed for the covered entity’s notices.
  • Follow any shorter timelines required by the business associate agreement.

Law enforcement delay

You may delay notifications if a law enforcement official states that notice would impede a criminal investigation or threaten national security. Obtain a written statement specifying the delay period, or document an oral statement and secure written confirmation within 30 days.

Individual Notice Requirements

You must notify each affected individual by first-class mail to the last known address, or by email if the individual agreed to electronic notice. If the individual is deceased, send notice to the next of kin or personal representative when appropriate.


Required content (plain language)

  • A brief description of what happened, including the date of the breach and date of discovery, if known.
  • The types of PHI involved (for example: name, address, medical record number, diagnosis, treatment, or financial data).
  • Steps individuals should take to protect themselves (such as monitoring accounts or placing fraud alerts).
  • What you are doing to investigate, mitigate harm, and prevent further incidents.
  • Contact information for questions: a toll-free number, email, postal address, or website.

Substitute notice when contact data are insufficient

  • Fewer than 10 individuals: use an alternative method reasonably calculated to reach the person (e.g., telephone).
  • 10 or more individuals: provide a conspicuous posting on your website home page for at least 90 days or notice in major print/broadcast media in areas where affected individuals likely reside, plus a toll-free number active for 90 days.

Media and Secretary Notification

If a breach affects more than 500 residents of a single state or jurisdiction, notify prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery. The media notice should include the same core elements as the individual notice.

Notify the HHS Secretary as follows: for breaches involving 500 or more individuals, report without unreasonable delay and within 60 calendar days of discovery; for fewer than 500 individuals, log the incident and submit the annual report no later than 60 days after the end of the calendar year in which the breach was discovered (for example, by March 1 for breaches discovered the prior year).

Practical example

If 750 patients in one state are affected, you must provide individual notices, notify media serving that state within 60 days, and report to HHS within the same timeframe. If 40 patients are affected, provide individual notices now and include the event on your year-end report to HHS.
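The thresholds and timelines above, encoded as a small deadline calculator that an incident log could use to flag the 60-day limit. This is an added example, not code from the original article; the Incident fields, the ISO-date inputs and the sample counts are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

OUTER_LIMIT = timedelta(days=60)       # "no later than 60 calendar days from discovery"
MEDIA_THRESHOLD = 500                  # more than 500 residents of a single state -> media notice
HHS_PROMPT_THRESHOLD = 500             # 500 or more individuals in total -> HHS notice within 60 days
SUBSTITUTE_NOTICE_THRESHOLD = 10       # fewer than 10 unreachable -> alternative method such as telephone

@dataclass
class Incident:                        # constructed input shape for this example
    discovered: str                    # ISO date of discovery (first day you knew or should have known)
    unsecured: bool                    # False when PHI was encrypted with keys intact, or properly destroyed
    affected_by_state: dict            # e.g. {"TX": 750}
    unreachable: int = 0               # individuals whose contact data are insufficient

def annual_report_due(discovered: date) -> date:
    # Small breaches go in the annual HHS report, due 60 days after the end of the year of discovery.
    return date(discovered.year, 12, 31) + OUTER_LIMIT

def notification_obligations(inc: Incident) -> dict:
    """Map one incident to the duties and outer deadlines stated in the Breach Notification Rule."""
    if not inc.unsecured:
        # Secured PHI: no notification duty, but the investigation is still documented.
        return {"notify": False, "record": "document the Risk Assessment and findings"}
    discovered = date.fromisoformat(inc.discovered)
    deadline = (discovered + OUTER_LIMIT).isoformat()
    total = sum(inc.affected_by_state.values())
    duties = {"notify": True, "individual_notice_by": deadline}
    # Media notice is judged per state or jurisdiction, not on the combined total.
    media_states = sorted(s for s, n in inc.affected_by_state.items() if n > MEDIA_THRESHOLD)
    if media_states:
        duties["media_notice_by"] = deadline
        duties["media_states"] = media_states
    # HHS notice is judged on the total: prompt for 500 or more, otherwise the annual log.
    if total >= HHS_PROMPT_THRESHOLD:
        duties["hhs_notice_by"] = deadline
    else:
        duties["hhs_annual_report_by"] = annual_report_due(discovered).isoformat()
    if inc.unreachable:
        if inc.unreachable < SUBSTITUTE_NOTICE_THRESHOLD:
            duties["substitute_notice"] = "alternative method reasonably calculated to reach the person (e.g. telephone)"
        else:
            duties["substitute_notice"] = "website posting or major media for 90 days plus toll-free number for 90 days"
    return duties

def days_remaining(deadline_iso: str, today_iso: str) -> int:
    # Negative values mean the outer limit has passed; an incident log can flag this.
    return (date.fromisoformat(deadline_iso) - date.fromisoformat(today_iso)).days
```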

Penalties for Non-Compliance

OCR enforces the Breach Notification Rule through tiered Civil Penalties that scale with the level of culpability—from lack of knowledge to willful neglect—and whether you corrected the issue. Financial exposure can reach millions of dollars per year for identical violations, in addition to corrective action plans and multi-year monitoring.

Criminal Penalties, enforced by the Department of Justice, apply to certain wrongful disclosures of PHI. Penalties can include fines and imprisonment, with the most serious offenses—such as disclosures for personal gain, commercial advantage, or malicious harm—punishable by up to 10 years in prison.

Common pitfalls that trigger enforcement

  • Failure to conduct or document a Risk Assessment showing low probability of compromise.
  • Missing the 60-day notification deadline or providing incomplete notices.
  • Not encrypting portable devices that store PHI and lacking compensating controls.
  • Inadequate policies, training, or business associate oversight.

Documentation and Risk Assessment

Strong Compliance Documentation demonstrates diligence and often mitigates enforcement risk. Build a repeatable process that captures the facts, decisions, and timelines from discovery through closure.

Conducting the Risk Assessment

  • Nature and extent of PHI: identify data elements, sensitivity, and likelihood of re-identification.
  • Unauthorized person: assess who received or could access the PHI and their obligations to protect it.
  • Whether PHI was actually acquired or viewed: look for logs, forensic evidence, or credible attestations.
  • Mitigation: evaluate steps taken (e.g., retrieval, reset, attestation of non-use, credit monitoring) and their effectiveness.

Documentation steps (what to record and retain)

  • Discovery details: date/time, who discovered, systems involved, and initial containment actions.
  • Classification: whether PHI was Unsecured PHI; number of affected individuals and jurisdictions.
  • Risk Assessment: analysis of the four factors, conclusion on probability of compromise, and rationale.
  • Notifications: drafts and final copies of individual, media, and Secretary notices; mailing/email proofs; call center scripts.
  • Law enforcement interactions: any delay requests and confirmations.
  • Mitigation: services offered, remediation steps, and verification of completion.
  • Root cause and corrective actions: policy updates, technical controls (e.g., encryption), training, and monitoring plans.
  • Business associate coordination: notices received/sent and contract compliance.
  • Retention: keep all records, policies, and related correspondence for at least six years.

Operational tips

  • Pre-draft notice templates and checklists to accelerate response while ensuring accuracy.
  • Maintain an incident log that tracks deadlines automatically and flags the 60-day limit.
  • Run periodic tabletop exercises so staff can execute the Breach Notification Rule under pressure.

Key takeaways

  • Act fast: contain, investigate, and start your Risk Assessment immediately upon discovery.
  • Notify on time: 60 calendar days is a hard outer limit—earlier is better.
  • Document everything: thorough Compliance Documentation is both required and protective.
  • Prevent recurrences: encryption, least-privilege access, and training reduce breach risk and penalties.

FAQs

What qualifies as a breach under HIPAA?

A breach is an impermissible use or disclosure of Unsecured PHI that compromises its privacy or security. It is presumed a breach unless your documented Risk Assessment shows a low probability that the PHI was compromised, considering factors like data sensitivity, who received it, whether it was actually viewed, and mitigation.

When must covered entities notify individuals about a breach?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days from the date of discovery. Notice is by first-class mail or email (if the individual agreed). If contact information is insufficient, use substitute notice as required.

What penalties exist for failure to comply with breach notification?

OCR may impose tiered Civil Penalties scaled to culpability and annual caps, along with corrective action plans and monitoring. Certain wrongful disclosures can trigger Criminal Penalties, including fines and imprisonment of up to 10 years for offenses involving personal gain, commercial advantage, or malicious harm.

How should covered entities document compliance with breach notification requirements?

Maintain comprehensive records of discovery, investigation, Risk Assessment findings, notification content and timing, mitigation steps, law enforcement interactions, and corrective actions. Keep this Compliance Documentation for at least six years to demonstrate due diligence and support audits or investigations.
